Argus is a local secrets vault. Treat it as security-sensitive software even during early development.
| Version | Supported |
|---|---|
| 0.1.x (main) | Yes — best effort |
Please do not open public GitHub issues for security bugs.
- Use GitHub Security Advisories → Report a vulnerability on this repository.
- Include steps to reproduce, impact, and affected version/commit if known.
We aim to acknowledge reports within 7 days. Fixes and coordinated disclosure timelines depend on severity.
In scope
- Argus desktop app (Tauri + Rust core + WebView UI)
- SQLCipher database handling, authentication, secret/bucket commands
- Local data under ~/.argus/
Out of scope (for now)
- Third-party dependency vulnerabilities (report upstream; we will upgrade)
- Issues in apps that consume secrets after Argus injects them
- Attacks requiring full OS/kernel compromise (documented in docs/security.md)
See docs/security.md for threat model, crypto parameters, and release checklist.
We appreciate responsible disclosure. Researchers who follow this policy and give us reasonable time to fix issues before public disclosure will not be pursued for good-faith research.